Firewall Allow all traffic on lan

Is there a way to make a firewall rule to allow all traffic on en1? I have my ip ranges set to allow all traffic, but I still have to turn the firewall off for DHCP to give IP addresses to new devices on the network.

Powermac G5 Quad, MacBook, iBook, Mac Mini, and iMac, Mac OS X (10.5), Mac OS X Server 10.5

Posted on Nov 10, 2007 8:28 AM

26 replies

Nov 12, 2007 3:47 PM in response to Dean Huxley

yes, i did do that. the first two lines in my snippet are with the fw off. that is the only entry during playback.

i can't figure this out at all. there is something being blocked by the fw, but it's not port 5353, and it's not the multicast range or the 192 range, it doesn't seem to be ip at all actually, probably more like an arp layer thing from the entry in the terminal. it seems that the routing table is no longer accessible by the server or something and it can't resolve x.168.0.5 while the fw is on (?) -- i wonder if making that airport a manual ip would solve the issue..?? in any case i can't find any mention of arp related to ipfw.

all i know is it finds the airport fine with the fw off, but won't let me select it when the fw is on.

Nov 13, 2007 8:22 AM in response to Leif Carlsson

right, but see this entry after fw is turned on:

10:57:19.020375 arp who-has 192.168.0.5 tell 192.168.0.1

it seems that it can no longer resolve. i've tried converting the expresses to manually assigned ips, made no difference.

there is something in ipfw that is blocking the connection to the airports, i'm not sure what is going on at all, or if it is really ip related. as i said, i can have the firewall on but set to allow all traffic from any, and the connection is still not made. i've tried advanced rules, ip groups, ports, everything i know how to do, i can't decipher this issue.

if anyone has any idea what else to try, or better yet an actual explanation and solution, i'd be most grateful. this is quite annoying and really i can't see any reason for it. i'm still hoping this is just something above my head and that i don't have the understanding and that the fix is easy. but....

thanks again to those who are working this w/ me.

i'd also be curious to see if anyone has or can duplicate this issue. the setup is simply

server -> router -> airport xpress.

with ipfw turned on on the server, which is where itunes and the music library reside, i cannot playback or even select remote airtunes speakers. with ipfw disabled, works fine as usual. i can access all other server services, mail, chat, automation, etc etc, even share itunes library, just can't access the expresses.

tia!!

Message was edited by: dtich

Nov 13, 2007 9:27 AM in response to dtich

dtich wrote:
there is something in ipfw that is blocking the connection to the airports, i'm not sure what is going on at all, or if it is really ip related. as i said, i can have the firewall on but set to allow all traffic from any, and the connection is still not made.


Another couple commands to try out are:

ipfw zero
(zeros the counters)

ipfw show
(shows the active rules with counters)

Both of these commands need to be run as root. With the firewall on, you can run the 'ipfw zero' to clear things out, then try your iTunes stuff, then run 'ipfw show' and look for deny lines where the packet count (second column) is non-zero. These lines should hopefully give clues to what packets are being rejected.
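An added example (not from the thread) of the `ipfw zero` / `ipfw show` triage described above. `ipfw show` prints one line per rule: rule number, packet count, byte count, then the rule text, exactly as in the snippets quoted later in this thread. The sample output below is constructed for the example; in real use you would pipe `sudo ipfw show` into the functions instead. For reading a tcpdump capture alongside the counters: `[2q]` means the packet carries two questions, and `3/0/0` is the answer/authority/additional record count of a response.

```shell
#!/bin/sh
# Added example: triage `ipfw show` output after an `ipfw zero`.
# Column layout of `ipfw show`: <rule-number> <packets> <bytes> <rule body...>
# Real usage on the server (as root):
#   sudo ipfw zero; (reproduce the problem); sudo ipfw show | hot_denies

# Constructed sample of `ipfw show` output (not a real capture); the rule
# numbers and bodies follow the format quoted in this thread.
IPFW_SAMPLE='02000 5 300 allow ip from any to any via lo0
02010 2 128 deny ip from 224.0.0.0/4 to any in
12352 0 0 allow tcp from any to any dst-port 5353
12352 3 491 allow udp from any to any dst-port 5353
12364 1 64 allow ip from 192.168.0.0/24 to any via en0 keep-state
12364 0 0 allow ip from 224.0.0.0/24 to any via en0 keep-state
65534 7 560 deny ip from any to any
65535 0 0 allow ip from any to any'

# Deny rules whose packet counter is non-zero: the rules that actually
# rejected something since the last `ipfw zero`. Reads ipfw output on stdin.
hot_denies() {
  awk '$4 == "deny" && $2 > 0'
}

# Number of deny rules that fired, as a single value for scripting.
hot_deny_count() {
  hot_denies | wc -l | tr -d ' '
}

# All rules mentioning a literal pattern (a port, a network, an interface),
# each tagged by whether its counter moved. An allow rule that reads
# "never-matched" after the test window did not see the traffic you expected.
rule_hits() {
  awk -v pat="$1" 'index($0, pat) {
    tag = ($2 > 0) ? "MATCHED" : "never-matched"
    print tag ": " $0
  }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$IPFW_SAMPLE" | hot_denies
printf '%s\n' "$IPFW_SAMPLE" | rule_hits 224.0.0.0
```

`hot_denies` is the quick check from the post above (deny lines with a non-zero second column); `rule_hits` is for the follow-up question of whether a specific allow rule (say the 224.0.0.0/24 one) ever matched at all while the firewall was on.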

Nov 16, 2007 5:10 PM in response to dtich

10.5.1 did not change this issue.

so, tried ipfw zero and show, got no denies in the rules list. there were a few deny rules, but no packets in either column. i ran it for about 15 mins. itunes on. itunes off. firewall on, firewall off. i did see lots of packets allowed in the 5353 port, multicast, as expected. but i couldn't find an entry that was related, only to say that even when the airtunes connection was refused packets were still flowing in udp5353... so.. it thought it was sending them.. i get nothing on the allow rules for 224xxx, which is odd, because the tcpdump shows that is the address that this process is working on:

--IPFW ON--
16:10:39.407887 IP 192.168.0.5.5353 > 224.0.0.251.5353: 0*- [0q] 3/0/0 (Cache flush) A 192.168.0.5,[|domain]
16:12:18.026616 IP 192.168.0.5.5353 > 224.0.0.251.5353: 0*- [0q] 3/0/0 (Cache flush) A 192.168.0.5,[|domain]
--IPFW OFF--
16:12:59.086113 IP 192.168.0.5.5353 > 224.0.0.251.5353: 0 [2q][|domain]
16:13:00.076391 IP 192.168.0.5.5353 > 224.0.0.251.5353: 0 [2q][|domain]
16:13:02.079234 IP 192.168.0.5.5353 > 224.0.0.251.5353: 0 [2q][|domain]
16:13:06.078753 IP 192.168.0.5.5353 > 224.0.0.251.5353: 0 [2q][|domain]
--IPFW ON AGAIN--
16:13:47.493542 arp who-has 192.168.0.10 (00:00:83:aa:96:8f) tell 192.168.0.5
16:13:47.493593 arp reply 192.168.0.10 is-at 00:16:cb:a9:33:ac
16:13:47.494174 IP 192.168.0.5.1160 > 192.168.0.10.123: NTPv1, Client, length 48
16:13:47.494391 IP 192.168.0.10.123 > 192.168.0.5.1160: NTPv1, Server, length 48
16:13:56.626805 IP 192.168.0.5.5353 > 224.0.0.251.5353: 0*- [0q] 3/0/0 (Cache flush) A 192.168.0.5,[|domain]

the bottom line is: firewall off, music playing, express selected, express plays... firewall on -- music stops. the packets still flow if the connection was already established, but they don't make it to the express (or express doesn't play)... firewall off, music starts again. lol.

i don't know what the numbers are exactly in this, but the "[2q]" seems to indicate things are flowing fine, the "[0q]" is when they aren't. what does: "3/0/0" refer to? the traffic, which the dump says is on 224xxx, does not get reflected in the allow or deny rules at any time that i can see.

so....

it's going out on the multicast as it should, but even though the 5353 port is open to all traffic:

12352 0 0 allow tcp from any to any dst-port 5353
12352 3 491 allow udp from any to any dst-port 5353

and the ip range is open to all outgoing:

12364 1 64 allow ip from 192.168.0.0/24 to any via en0 keep-state
12364 0 0 allow ip from 224.0.0.0/24 to any via en0 keep-state (and the inverse)

besides, all traffic to and from lo0 is open.

but even though i've opened the port and the ip involved in the firewalls, it doesn't connect. if it is connected and playing, and then the fw is engaged, i get one more buffer's worth of music, and then it stops.

i really think this is a dns/arp issue. somehow. the entry in the terminal for one thing, and then when the firewall is on, and i try to select the express, i see allow packets in the to 224.x.x.x rule. (server admin also shows this dump with auto refreshes and is a lot easier to use than the terminal in this case..) so, this is it trying to establish a link with the express, but that's the only traffic i see on this address range. then i see the server ping my dns service (opendns.org), like it is looking for the express.

i just don't know enough. or, it's a f-ing bug, which... lordy, if it isn't, it should be.

Dec 2, 2007 8:11 AM in response to dtich

It seems I was wrong about how the tcpdump output looks - sorry about that.

192.168.0.10 is the server?


I did a test to my AirPort Express and it seems my computer sent the data (streaming music) on port 6000 TCP.

I also used Wireshark to look at the traffic and the ttl is set very low so it probably won't survive any router (you couldn't find the Express "speaker" anyway?).

So if the server is doing the sending port 6000 TCP must be allowed to send data out to that port (from any port number).

Can't find it mentioned here though:

http://docs.info.apple.com/article.html?artnum=106439


Are the server's interfaces both connected to the same LAN?

I don't understand your setup description: "server -> router -> airport xpress."

Do you mean the router is bridging between ethernet and wireless on the LAN side (must be)?



"10:57:19.020375 arp who-has 192.168.0.5 tell 192.168.0.1"

The arp table is renewed every couple of minutes - normal behaviour.

If you do arp -a you get the current list. This list will gain and lose MAC addresses according to when you last had a conversation with each device.

Dec 5, 2007 12:01 PM in response to GLank

GLank wrote:
Is there a way to make a firewall rule to allow all traffic on en1? I have my ip ranges set to allow all traffic, but I still have to turn the firewall off for DHCP to give IP addresses to new devices on the network.


in the past i have opened up ports 67 and 68 on "any" (probably just 67 would be fine) for this exact reason -- clients that don't have an IP yet won't be allowed to connect to the DHCP server since they don't have 192.168-net address, so the "allow all traffic" rule for 192.168-net doesn't apply yet.

so, same as you i'd like to be able to open all traffic on en1 (the LAN side) in the way that we open all traffic to 192.168-net machines (i.e. have the firewall operate at the physical level, not the IP level).

but since i haven't found a way to do this, and since i really don't want to give DHCP addresses out to the whole world, i've set up a new address group 169.254.0.0/16 and opened up only ports 67/68 for that group. this seems to be working fine -- machines with a self-assigned IP can connect to DHCP and get a 192.168-net IP and then at that point they can do other stuff on the network. i think it's possible to increase security a bit more and deny all packets coming from 169.254-net via the WAN interface.
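An added example, constructed for this page rather than taken from any poster's configuration, that puts the two pieces of advice in this thread into ipfw rule form: DHCP allowed only on the LAN side (the approach in the post above), link-local sources refused on the WAN interface, and the AirTunes port (TCP 6000, from the earlier reply) allowed outbound. It assumes en0 is the WAN interface, en1 the LAN interface, 192.168.0.0/24 the LAN network, and the rule numbers are arbitrary; the ipfw(8) syntax used is `allow <proto> from <src> [port] to <dst> [port] in|out via <iface>`. The function prints the commands instead of running them so the set can be reviewed before being applied.

```shell
#!/bin/sh
# Added example (assumptions: en0 = WAN, en1 = LAN, LAN net 192.168.0.0/24,
# rule numbers 02100-02140 chosen to sit before the ruleset's final deny).
LAN_IF=en1
WAN_IF=en0
LAN_NET=192.168.0.0/24

# Emit the ipfw commands rather than executing them:
#   lan_rules            # review
#   lan_rules | sudo sh  # apply (as root)
# Rules added by hand this way are not persistent; on a managed server they
# belong in whatever file or GUI rule set the firewall service reloads from.
lan_rules() {
  cat <<EOF
# DHCP: a client with no address yet sends from 0.0.0.0:68 (or a 169.254.x.x
# self-assigned one) to port 67, so an address-group rule for the LAN net
# cannot match it. Match on UDP ports and the LAN interface instead.
ipfw add 02100 allow udp from any 68 to any 67 in via $LAN_IF
ipfw add 02110 allow udp from any 67 to any 68 out via $LAN_IF
# Never accept link-local (self-assigned) sources arriving on the WAN side.
ipfw add 02120 deny ip from 169.254.0.0/16 to any in via $WAN_IF
# AirTunes stream from the server to an Express on the LAN: TCP 6000,
# any source port, stateful so the replies are accepted.
ipfw add 02130 allow tcp from any to $LAN_NET 6000 out via $LAN_IF setup keep-state
# The question's "allow all traffic on en1": ipfw can match on the interface
# alone, with no address constraint, if that is the policy you want.
ipfw add 02140 allow ip from any to any via $LAN_IF
EOF
}

# Count the rule commands the set contains (used for a quick self-check).
lan_rule_count() {
  lan_rules | grep -c '^ipfw add'
}

lan_rules
```

Rules 02100 and 02110 are the narrow fix for the DHCP symptom described in the question; rule 02140 is the blanket interface rule and makes 02130 redundant, so keep only one of the two depending on how open the LAN side should be.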


